Publications

Hacking Blind

Abstract:
We show that it is possible to write remote stack buffer overflow exploits
without possessing a copy of the target binary or source code, against services
that restart after a crash. This makes it possible to hack proprietary
closed-binary services, or open-source servers manually compiled and installed
from source where the binary remains unknown to the attacker. Traditional
techniques are usually paired against a particular binary and distribution where
the hacker knows the location of useful gadgets for Return Oriented Programming
(ROP). Our Blind ROP (BROP) attack instead remotely finds enough ROP gadgets
to perform a write system call and transfers the vulnerable binary over
the network, after which an exploit can be completed using known techniques.
This is accomplished by leaking a single bit of information based on whether a
process crashed or not when given a particular input string. BROP requires a
stack vulnerability and a service that restarts after a crash. We implemented
Braille, a fully automated exploit that yielded a shell in under 4,000 requests
(20 minutes) against a contemporary nginx vulnerability, yaSSL + MySQL, and a
toy proprietary server written by a colleague. The attack works against modern
64-bit Linux with address space layout randomization (ASLR), no-execute page
protection (NX) and stack canaries.